Understanding the Windows SMB NTLM Weak Nonce Vulnerability

Black Hat USA 2010

Presented by: Agustin Azubel, Hernan Ochoa
Date: Wednesday July 28, 2010
Time: 11:15 - 12:30
Location: Milano 5+6+7+8
Track: OS Wars

In February 2010, we found a vulnerability in the SMB NTLM Windows authentication mechanism that has been present in Windows systems for at least 14 years (from Windows NT 4 to Windows Server 2008). You probably haven't heard about this vulnerability, but basically the authentication mechanism used by all Windows systems to access remote resources over SMB was flawed, allowing attackers to obtain read/write access to remote resources and remote code execution without credentials, using different techniques such as passive replay attacks, active collection of duplicate challenges/responses, and prediction of challenges. This vulnerability is also a good example of the flaws found in challenge-response authentication mechanisms.

This presentation will describe the vulnerability in detail, including its scope and severity, explain different techniques to exploit the flaws found and demo fully functional exploit code.
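As an added illustration of the challenge-response flaw class the abstract refers to (this is not code from the talk or its authors, and it is not NTLM's actual algorithm): a toy keyed-hash challenge-response in which the only difference between the two verifiers is the quality of the server nonce. The HMAC construction, the 16-value "weak" generator and all names are constructed assumptions; the point is that a reused challenge lets a previously observed response authenticate again, and that a defender can spot nonce reuse by counting duplicate challenges.

```python
import hashlib
import hmac
import secrets
from collections import Counter

# Constructed stand-in for the password-derived key shared by client and server.
SECRET = b"constructed-shared-secret"


def respond(challenge: bytes) -> bytes:
    """Client side: keyed hash over the server challenge (toy model, not NTLM)."""
    return hmac.new(SECRET, challenge, hashlib.sha256).digest()


class Server:
    """Minimal verifier; challenge_source is the only thing that differs between cases."""

    def __init__(self, challenge_source):
        self.challenge_source = challenge_source

    def issue_challenge(self) -> bytes:
        return self.challenge_source()

    def verify(self, challenge: bytes, response: bytes) -> bool:
        return hmac.compare_digest(respond(challenge), response)


def weak_challenge(_state={"n": 0}) -> bytes:
    """Constructed low-entropy nonce: an 8-byte value that cycles through only 16 outputs."""
    _state["n"] = (_state["n"] + 1) % 16
    return _state["n"].to_bytes(8, "big")


def strong_challenge() -> bytes:
    """Proper nonce: 64 bits from the OS CSPRNG."""
    return secrets.token_bytes(8)


def accepts_replayed_response(server: Server, later_sessions: int) -> bool:
    """Record one (challenge, response) pair, then check whether the server ever
    issues that challenge again within `later_sessions` logons and accepts the
    old response. True means the protocol is replayable with this nonce source."""
    observed_chal = server.issue_challenge()
    observed_resp = respond(observed_chal)
    for _ in range(later_sessions):
        if server.issue_challenge() == observed_chal:
            return server.verify(observed_chal, observed_resp)
    return False


def duplicate_challenge_count(challenges) -> int:
    """Defender-side check over captured challenges: how many distinct values recur."""
    return sum(1 for _, n in Counter(challenges).items() if n > 1)
```

Running `accepts_replayed_response` against `Server(weak_challenge)` returns True within 16 further logons, while `Server(strong_challenge)` returns False; `duplicate_challenge_count` over a batch of captured challenges is the same signal seen from the monitoring side.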

Hernan Ochoa

Hernan Ochoa has been an independent security consultant / researcher with 14 years of experience. He began professionally in 1996 with the creation of the Virus Sentinel antivirus software (file/memory/MBR/boot sector detection and removal, signature based with heuristics to detect polymorphic viruses), a virus database with detailed technical descriptions and the SWAN newsletter. He joined Core Security Technologies in 1999 and worked there for 10 years; he began as a security consultant and exploit writer, then moved to the design and development of several low-level/kernel components of a multi-OS security system (Win3.1/Win95/WinNT/Novell/DOS) to be installed in a financial institution (later simplified and released publicly as CORE FORCE), also acting as the "technical lead" for anything related to the aforementioned OSes. He finally moved back to the consulting department as Expert Security Consultant, performing security assessments, developing methodologies and security tools, and contributing to CORE IMPACT with new attack vectors, modules and shellcode. Tools he has published include Universal Hooker (runtime instrumentation using dynamic handling routines written in Python), the Pass-The-Hash Toolkit for Windows and WifiZoo, among others. He currently works as an independent security consultant / researcher.

Agustin Azubel

Agustin Azubel has been working in the computer security industry since the late nineties. He works as an independent consultant doing reverse engineering, performing traditional software development, writing full-featured exploits and delivering in-depth vulnerability analysis. He also worked for almost a decade at Core Security Technologies, where he was involved in most of the key projects of that company. He is also a member of the ampliasecurity team.
